rspec/rules/S2068/xml/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

https://docs.spring.io/spring-social-twitter/docs/1.1.0.RELEASE/reference/htmlsingle/[Spring-social-twitter] secrets can be stored inside a xml file:

----
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean id="connectionFactoryLocator" class="org.springframework.social.connect.support.ConnectionFactoryRegistry">
      <property name="connectionFactories">
          <list>
              <bean class="org.springframework.social.twitter.connect.TwitterConnectionFactory">
                  <constructor-arg value="username" />
                  <constructor-arg value="very-secret-password" />   <!-- Sensitive --> 
              </bean>
          </list>
      </property>
  </bean> 
</beans>
----

== Compliant Solution

In https://docs.spring.io/spring-social-twitter/docs/1.1.0.RELEASE/reference/htmlsingle/[spring social twitter], retrieve secrets from environment variables:

----
@Configuration
public class SocialConfig implements SocialConfigurer {

    @Override
    public void addConnectionFactories(ConnectionFactoryConfigurer cfConfig, Environment env) {
        cfConfig.addConnectionFactory(new TwitterConnectionFactory(
            env.getProperty("twitter.consumerKey"),    
            env.getProperty("twitter.consumerSecret")));  <!-- Compliant --> 
    }
}
----

include::../see.adoc[]